Thursday, January 07, 2010

And today's “Well, DUH!” Award goes to...

http://www.databreaches.net/?p=9329

Heartland breach shows why compliance is not enough

January 6, 2010 by admin Filed under Commentaries and Analyses, Financial Sector

Jaikumar Vijayan reports:

The [Heartland] intrusion led to the “stark realization that passing a PCI security audit does not make a company secure,” said Avivah Litan, an analyst at research firm Gartner Inc. “This was known well before the breach, but Heartland served as a big pail of ice water thrown on the face of companies complying with PCI,” she said.

The intrusion highlighted “very clearly and with no uncertain doubt” that companies needed to worry about securing their systems first rather than complying with PCI standards, Litan said. The Heartland breach showed that it was worth it for companies to go beyond the requirements of the PCI standard by implementing technologies such as end-to-end encryption for protecting cardholder data, she added.

The Heartland incident showed that compliance with standards such as PCI is meaningless unless there is a way of monitoring that compliance on a continuous basis, said Philip Lieberman, CEO of Lieberman Software Corp., a Los Angeles-based vendor of identity management products.

“There is nothing wrong with PCI. It is a good standard,” Lieberman said. “But it also has a fundamental flaw.” PCI compliance, he said, is a “point-in-time” certification of a company’s readiness to handle security threats. However, there is no continuous process for monitoring compliance built into the PCI standard, he said. As a result, there is no way of knowing if a company that was certified as being compliant one day is still maintaining that compliance the next day.

Read more on Computerworld.


(Related)

http://www.databreaches.net/?p=9335

Companies have just months to replace old wireless payments systems

January 7, 2010 by admin Filed under Uncategorized

Retailers and caterers have just six months to replace old systems if they are to continue to use wireless card payment technology. The industry payment security body might revoke the right to process cards for companies that do not upgrade their technology.

The Payment Card Industry (PCI)’s Data Security Standard (DSS) is the set of technical requirements which must be met by retailers who want to process cards.

It was changed in 2008 to ban the use of Wired Equivalent Privacy (WEP) technology in the transmission of card details from mobile card terminals to the main part of a system.

Read more on Out-Law.com.

[From the article:

From last year companies were barred from installing new systems that use WEP and from June of this year companies will be stopped from using WEP-based systems at all. The PCI's Security Standards Council (SSC) said that any company still using WEP after that date would not be compliant with PCI DSS. [What's wrong with this picture: WEP encryption is not compliant, but you are still PCI compliant until June. Bob]



For your C-level managers and your Security Manager

http://books.slashdot.org/story/10/01/06/1431240/Enterprise-Security-For-the-Executive?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Enterprise Security For the Executive

Posted by samzenpus on Wednesday January 06, @01:56PM from the read-all-about-it dept.

brothke writes

[A book review. Bob]

One thing that Bayuk does very well repeatedly throughout the book is to succinctly identify an issue and its cause. In chapter 6 — Navigating the Regulatory Landscape — she writes that if a CxO does not have management control over an organization, then the organization will fail the audit. It will fail because even if the organization is secure today, there is no assurance that it will be going forward. In addition, control means that the CxO will ensure that the organization is attempting to do the right thing. And in such cases, passing an audit is much easier.



For your Security Manager. Should I be offended that I didn't get this Phishing email?

http://tech.slashdot.org/story/10/01/06/2155218/Fake-Bill-Gates-Message-Dupes-Top-Tools?from=rss&utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Slashdot%2Fslashdot+%28Slashdot%29

Fake "Bill Gates" Message Dupes Top Tools

Posted by timothy on Wednesday January 06, @05:00PM from the top-tools-are-working-on-it-top-tools dept.

yahoi writes with this excerpt from Dark Reading that might raise sysadmins' eyebrows about email security, in particular given the big names involved:

"A researcher who conducted a successful spear-phishing experiment with a phony LinkedIn invitation from 'Bill Gates' is about to reveal the email products and services that failed to filter the spoofed message — and that list includes Microsoft Outlook 2007, Microsoft Exchange, Outlook Express, and Cisco IronPort. ... The experiment was aimed at measuring the effectiveness of email security controls in several major products and services. And the simplicity and success of the test demonstrated just how powerful social engineering can be and what little technology can actually do about it, security experts say."



Very political. Comments are split between Liberal and Conservative. Sad that there is no consensus on how to secure our borders.

http://www.pogowasright.org/?p=6840

War Blogger May Sue Over Handcuffing At Seattle Airport

January 7, 2010 by Dissent Filed under Featured Headlines, Surveillance

Declan McCullagh writes:

A blogospheric flap complete with threats of legal action has arisen after Michael Yon, the popular war blogger and former Green Beret, said he was detained upon returning to the United States and asked about how much money he makes every year.

Yon posted on Facebook on Tuesday that he was handcuffed and “arrested at the Seattle airport” for refusing questions, including ones related to his annual income, that “had nothing to do with national security.”

Read more on the flap on CBS.

Declan provides links to a number of commentaries, including a post by former undersecretary for policy at Homeland Security, Stewart Baker, with the catchy title, “Actually, a Chip That Big Will Have to Come Off Your Shoulder and Go Through the X-Ray.” But as he points out, the public does not have full information on the incident from either side.


(Related) Are border guards delusional or do they make this stuff up to justify the funds spent?

http://www.bespacific.com/mt/archives/023192.html

January 06, 2010

UK E-Borders Program

"The UK Border Agency is responsible for delivering the e-Borders programme, and we are doing so with the support of the police and HM Revenue & Customs. We are working closely with the travel industries, whose support is crucial to the programme's success. Information will be gathered on all travellers, passengers and crew entering or leaving the country by air, sea or rail. It will allow us to identify passengers who are a potential risk and alert the relevant authorities."

[Of course they cannot identify “passengers who are a potential risk” by the information this program provides. They can match the names to another list, and if Osama bin Laden travels under his own name they can be ready to welcome him to the UK. Bob]



New laws to ignore!

http://www.phiprivacy.net/?p=1770

Nevada and New Hampshire Data Security and Privacy Laws Take Effect

By Dissent, January 7, 2010 8:50 am

[From the article:

February 2010, the federal regulations addressing breaches of unsecured PHI will become effective.]



No doubt this “secret law” came as a great shock to HHS. (Shame on Congress for pulling a Dean Wormer.) If they had had a few months' advance warning, no doubt they would already be posting these reports.

http://www.phiprivacy.net/?p=1755

More on the HITECH-mandated breach reports on HHS

By Dissent, January 6, 2010 1:40 pm

Several weeks ago, I initiated an inquiry about the breach reports that I expected to see on HHS’s web site. Under the new HITECH Act provisions, covered entities experiencing breaches involving the unsecured PHI of 500 or more patients are required to report the incident to HHS – if the incident meets the “harm threshold” that HHS added to the regulations despite the language of the statute and Congress’s clear intentions. Did the harm threshold give everyone a “pass” on reporting incidents to HHS, or is HHS just behind in getting the reports up on their web site? Inquiring minds wanted to know.

As it turns out, HHS has received breach reports under the new law, but is first working out a number of issues before reports will be uploaded to their site. According to a senior health information privacy specialist with whom I spoke yesterday, HHS has not yet determined whether the reports submitted to it in various formats should be uploaded as is or whether some “user-friendly” report should be provided by HHS for the incident. HHS is also reportedly concerned about going through documentation carefully to ensure that they do not accidentally publicly reveal any personal information that might be contained in any reports. According to the specialist, HHS has not created or disseminated any template for covered entities to use in reporting incidents.

Predictably, I tried to encourage HHS to just upload what they get — just as a number of states do. While HHS is uploading what they already have, they can develop a template that includes the kind of details those of us who track and analyze breaches will find helpful. Somehow I doubt they’ll take my well-meant advice, however.

So when will we actually see the first reports showing up on HHS’s web site? The specialist could not say, but I hope the fact that HHS knows that people are waiting and inquiring will encourage them to get the information out to the public sooner rather than later. Nor did the specialist know how many reports HHS has already received, but he did say that they were receiving reports from all over.

In the meantime, I’ll just sit over here and wonder about what we’ll learn when reports are finally available for public inspection.



I doubt anyone will read this before buying.

http://www.pogowasright.org/?p=6832

Updated and Corrected: E-Book Buyer’s Guide to Privacy

January 7, 2010 by Dissent Filed under Internet

Ed Bayley of EFF writes:

A few weeks ago, EFF published its first draft of a Buyer’s Guide to E-Book Privacy, which summarized and commented on the privacy-related policies and behaviors of several e-readers. In that first draft we incorporated the actual language of the privacy policies as much as possible, which unfortunately created some confusion since companies generally use different language to address similar issues. We also did a few other things clumsily.

Since then, thanks to the feedback and corrections we’ve received, we’ve made some updates and corrections to the guide which we hope will make it more useful. First, we’ve re-written many of the questions and answers to provide more clarity about the behavior of each e-reader. Second, we’ve tried to point out where companies’ privacy policies themselves are unclear on particular issues. And finally, we’ve made the whole thing easier to read by changing its visual layout.



No more secret agents. (Get it? Agents... Agency...) How are organizations going to stop this?

http://www.pogowasright.org/?p=6838

Businesses May be Liable for Employee Statements on Social Networking Sites, says new FTC Guidelines

January 7, 2010 by Dissent Filed under Businesses, Internet, Workplace

Michael Overly writes:

New FTC guidelines (http://www.ftc.gov/os/2009/10/091005revisedendorsementguides.pdf) that went into effect on December 1, 2009, may impose liability on businesses for statements their employees make on social networking sites like Facebook, Twitter, LinkedIn, MySpace, personal blogs, and other sites – even if the company had no actual knowledge those statements were being made. Specifically, if an employee makes comments about the business’ products and services and that employee fails to disclose their employment relationship with the business, the business may be subject to an enforcement action for deceptive endorsements.

The FTC guidelines state that where a connection exists between the speaker and the company selling the products and/or services and that connection would materially affect the weight or credibility of the speaker’s statements, the connection must be fully disclosed.

Read more on CSO.



There's an army out to get you... (Computer Security test question: Name them.)

http://www.databreaches.net/?p=9327

Today’s burning question

January 6, 2010 by admin Filed under Malware

How many new strains of malware were identified in 2009?

(a) 12,186,379
(b) about 18 million
(c) over 25 million

Answer: (c), according to PandaLabs. Read more on InfoWorld.



Know your target

http://www.bespacific.com/mt/archives/023197.html

January 06, 2010

Pew: Updated Demographics for Internet, Broadband and Wireless Users

Updated Demographics for Internet, Broadband and Wireless Users, January 5, 2010

  • "74% of American adults (ages 18 and older) use the internet -- a slight drop from our survey in April 2009, which did not include Spanish interviews. At that time we found that 79% of English-speaking adults use the internet.

  • 60% of American adults use broadband connections at home -- a drop that is within the margin of error from 63% found in April 2009.

  • 55% of American adults connect to the internet wirelessly, either through a WiFi or WiMax connection via their laptops or through a handheld device like a smart phone. This figure did not change in a statistically significant way during 2009."



Useful stuff?

http://www.bespacific.com/mt/archives/023188.html

January 06, 2010

What's New in THOMAS

News release: "Several changes have been made to THOMAS for the second session of the 111th Congress. These changes include: Bookmarking and Sharing Widget; Top Five Bills; New RSS feed: Bills Presented to the President; Contacting Members of Congress; Tip of the Week; Bill Text PDFs."



Trekkies will love it!

http://www.makeuseof.com/tag/turn-your-android-phone-into-a-real-star-trek-tricorder/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+Makeuseof+%28MakeUseOf.com%29

Turn Your Android Phone Into A Real Star Trek Tricorder

By Ryan Dube on Jan. 6th, 2010



Humor? They claim not.

http://www.thetechherald.com/article.php/201001/5048/Mobile-phone-emissions-reverse-the-effects-of-Alzheimer-s

Mobile phone emissions reverse the effects of Alzheimer's

by Stevie Smith - Jan 7 2010, 10:22



The future according to Jonathan (an hour long video)

http://fora.tv/2009/11/19/Minds_For_Sale_The_Future_of_the_Internet#Jonathan_Zittrain_Predicts_Web_30_Will_Be_More_Human

Jonathan Zittrain Predicts Web 3.0 Will Be More Human



Today only!

http://www.giveawayoftheday.com/streaming-video-recorder-holiday/

Giveaway of the Day - Streaming Video Recorder 2.0.7
